[RC] Enhanced Password Encryption v1.2.1 (With dynamic keys)

[visionviper]

Modification Name: Enhanced Password Encryption
Author: visionviper

Current status: Submitted to the MOD DB for validation.

Description: This modification changes phpBB to use encryption instead of hashing for passwords. This mod utilizes mcrypt, which supports the most powerful encryption types available. For more information on customizing the encryption for your forum check out the FAQ.

This mod can be installed to a live environment. When a user successfully logs in for the first time after the mod is installed their password will be re-encrypted.

Current Version: v1.2.1

Requirements: You PHP configuration must support mcrypt as well as whichever encryption scheme you wish to use.

Features:

• Support enhanced password encryption
• Customizable: ability to change encryption type and other things all from one config file
• Can be installed to live boards seamlessly

Download:
http://hootworld.net/Enhanced%20Passwor ... yption.zip (v1.2.1 download, 39KB)
http://www.phpbb.com/customise/db/mod/e ... ncryption/ (general information)

What does dynamic keys mean for security?
Every encryption key used is unique to the password and user. This means in the event that a hacker obtains the encrypted passwords that each and every user's password will need to be cracked individually. It also means that passwords that are the same won't show up as the same in the database (like salted hashes). The stronger a user's password, the longer this will take. Additionally, without access to the phpBB constants a hacker would have no idea what encryption scheme is being used.

Change log:
v1.2.1

• Changed key extending to happen before the encode.
• Added looped hashing.

v1.2.0

• Encryption key is now dynamic and based off of the password and initialization vector. This means each password has it's own encryption key.

v1.1.0

• Fixed the SQL error in login_forum_box function.
• Heavily modified the ModX install script.
• SQL queries for install are now done with UMIL.
• Forced re-login when attempting to change password from UCP before old password is converted to the new encryption.
• Made some small changes to make compatible with 3.0.10.

v1.0.3

• Fixed MOD X SQL queries.

v1.0.2

• Simplified password re-encryption process after mod install. Users now only need to log in.
• Implemented small code adjustments to meet PHPBB mod requirements.
• Fixed installation file to cover various DBMS.
• Fixed "account already activated" error with forgot password email activation link.

v1.0.1

• Updated encryption_config.php as well as the encryption code to make changes to the encryption type easier.

v1.0

• Initial submission to the MOD DB.

Please feel free to suggest features you might want included.

[DoYouSpeakWak]

This looks very interesting. One problem with this as i see it.

Pw will be encrypted in the database. But if the "hacker" or who ever it is has access to the db he can just read the posts and all the content. Encryption wont matter unless its on all tables with potential private information.

[visionviper]

This looks very interesting. One problem with this as i see it.

Pw will be encrypted in the database. But if the "hacker" or who ever it is has access to the db he can just read the posts and all the content. Encryption wont matter unless its on all tables with potential private information.

Yes, but even now PHPBB doesn't use full table or full database encryption. This just kicks up the encryption PHPBB uses for passwords. US-CERT considers MD5 to be cryptographically broken and therefore unsuitable for use. This mod will allow those with support of better encryption to take advantage of it.

[DoYouSpeakWak]

I cant see the reason for kicking up the encryption as you state. This mod is only usefull to protect the pw if the hacker has access the the db. if he has, alot more would have to be encrypted before the board gets any safer.

[visionviper]

I cant see the reason for kicking up the encryption as you state. This mod is only usefull to protect the pw if the hacker has access the the db. if he has, alot more would have to be encrypted before the board gets any safer.

It's one thing for a hacker to get access to all forum posts and PMs. It's another for a hacker to get a hold of the password that (let's face it) most people use on more than one site. I think that's worse.

In the PHPBB code they mention that they are in a way forced to used MD5 because it's really the only one you could say is universally supported. I'm just giving people the option to use something different.

[4_seven]

Phpbb3 password encryption and mechanism is unhackable yet. MD5 is used in phpbb2. Phpbb3 uses a much more complex technique for that (mixed with salt etc.). Means: Even if you have the user-password from its db-entry. It's worthless, bcs. you can't reconstruct the "real password" from that. It's not possible.

[visionviper]

Phpbb3 password encryption and mechanism is unhackable yet. MD5 is used in phpbb2. Phpbb3 uses a much more complex technique for that (mixed with salt etc.). Means: Even if you have the user-password from its db-entry. It's worthless, bcs. you can't reconstruct the "real password" from that. It's not possible.

Salting is especially good protecting against rainbow tables, but doesn't really help with the fact that MD5 is a terrible encryption technique when compared to AES, Twofish and other alternatives.

Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.

Are we protecting classified data? No. But people should have the option to use stronger encryption for passwords if they choose. I just wanted to make a mod for PHPBB to give people that option

[4_seven]

No matter, the base-intention is great, so good luck for fixing the admin-password-issue..

[Paul]

You should remember that the functions phpBB uses is not pure MD5, if you read at the phpass website, you will see it is more as just that .

[visionviper]

No matter, the base-intention is great, so good luck for fixing the admin-password-issue..

I thankfully fixed that! It was some weird cache/cookie/I don't know what issue.

You should remember that the functions phpBB uses is not pure MD5, if you read at the phpass website, you will see it is more as just that .

Well I thought so since I took a look at the phpass code and they support Blowfish and Extended DES but just reading the code in functions.php it didn't really seem it was trying to take advantage of these things.

[Paul]

phpBB has removed the functionality for a reason, if you read the comments in the code, it actually explains it . It is basicly because phpBB has set a certian minimum requirement, and the requirements for these encryptions didnt meet that. This can cause problems when a board is moved and that kind of things.

[visionviper]

phpBB has removed the functionality for a reason, if you read the comments in the code, it actually explains it . It is basicly because phpBB has set a certian minimum requirement, and the requirements for these encryptions didnt meet that. This can cause problems when a board is moved and that kind of things.

I figured it had something to do with that, since you guys really have to support a wide range of things in a base PHPBB install and that is pretty much the exact reason I decided to make something more targeted.

[Neuropass]

I don't understand all this debating about the mod. Simple thank-you for bringing something different and useful to phpbb is what needed here.

[visionviper]

Whoops. Didn't realize there would be no active download link on the MODDB page. I have added a link for the v1.0.1 install to the OP.

[visionviper]

If anyone has had an opportunity to use the mod I would love feedback on it.